webmin -- insecure temporary file creation at installation time

Details

VuXML ID: ae7b7f65-05c7-11d9-b45d-000c41e2cdad
Discovery: 2004-09-05
Entry: 2004-09-14
Modified: 2004-09-15

The Webmin developers documented a security issue in the
release notes for version 1.160:

Fixed a security hole in the maketemp.pl script, used
to create the /tmp/.webmin directory at install time. If
an un-trusted user creates this directory before Webmin
is installed, he could create in it a symbolic link
pointing to a critical file on the system, which would be
overwritten when Webmin writes to the link filename.
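
As an added example (not Webmin's maketemp.pl and not the project's actual fix), this is one way an install script can create a directory under /tmp without trusting anything already present at that path. The function name ensure_private_dir and the sandbox paths are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Webmin code: create a private temp directory and
# refuse anything another user may have planted at that path beforehand.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Hypothetical helper. Returns undef on success, or a string saying why
# the path must not be used.
sub ensure_private_dir {
    my ($dir) = @_;

    # mkdir fails with EEXIST if anything, including a symlink, already
    # exists, so success means this process created the directory itself.
    if (mkdir($dir, 0700)) {
        # The mode passed to mkdir is filtered by the umask; set it explicitly.
        chmod(0700, $dir) or return "chmod failed: $!";
        return undef;
    }
    return "mkdir failed: $!" unless $!{EEXIST};

    # Something pre-exists. Use lstat, not stat, so a symbolic link is
    # reported as a link instead of being followed to its target.
    my @st = lstat($dir) or return "lstat failed: $!";
    my ($mode, $uid) = @st[2, 4];
    return "path is a symbolic link"            if S_ISLNK($mode);
    return "path is not a directory"            unless S_ISDIR($mode);
    return "directory is owned by uid $uid"     unless $uid == $>;
    return "directory is group/world writable"  if $mode & 0022;
    return undef;
}

# Constructed demo: a throwaway sandbox stands in for /tmp.
my $sandbox = tempdir(CLEANUP => 1);
symlink("/nonexistent-target", "$sandbox/planted-link") or die "symlink: $!";
mkdir("$sandbox/loose") or die "mkdir: $!";
chmod(0777, "$sandbox/loose") or die "chmod: $!";

for my $name (qw(fresh planted-link loose)) {
    my $err = ensure_private_dir("$sandbox/$name");
    printf "%-13s %s\n", $name, defined $err ? "REFUSED: $err" : "ok";
}
```

A directory that passes these checks is owned by the installing user and not writable by anyone else, so other users cannot place links inside it; an installer should stop with an error on any refusal instead of falling back to the pre-existing path.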